Message ID | 1331032975-5303-7-git-send-email-pablo@netfilter.org |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
From: pablo@netfilter.org
Date: Tue, 6 Mar 2012 12:22:55 +0100

> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> If reliable event delivery is enabled and ctnetlink fails to deliver
> the destroy event in early_drop, the conntrack subsystem cannot
> drop any the candidate flow that was planned to be evicted.
>
> Reported-by: Kerin Millar <kerframil@gmail.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Applied.

> + /* Check if we indeed killed this entry. Reliable event
> + delivery may have inserted it into the dying list. */
> + if (test_bit(IPS_DYING_BIT, &ct->status)) {

Please don't allow misformatted comments like this into your
tree next time, this should be:

	/* Check if we indeed killed this entry. Reliable event
	 * delivery may have inserted it into the dying list.
	 */

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, Mar 06, 2012 at 03:16:18PM -0500, David Miller wrote:
> From: pablo@netfilter.org
> Date: Tue, 6 Mar 2012 12:22:55 +0100
>
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
> >
> > If reliable event delivery is enabled and ctnetlink fails to deliver
> > the destroy event in early_drop, the conntrack subsystem cannot
> > drop any the candidate flow that was planned to be evicted.
> >
> > Reported-by: Kerin Millar <kerframil@gmail.com>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Applied.
>
> > + /* Check if we indeed killed this entry. Reliable event
> > + delivery may have inserted it into the dying list. */
> > + if (test_bit(IPS_DYING_BIT, &ct->status)) {
>
> Please don't allow misformatted comments like this into your
> tree next time, this should be:
>
> /* Check if we indeed killed this entry. Reliable event
> * delivery may have inserted it into the dying list.
> */

Thanks for spotting this. Will in the future (probably some patches
that I took for net-next may not follow this format either, but for
upcoming patches I will).
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ed86a3b..fa4b82c 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -635,8 +635,12 @@ static noinline int early_drop(struct net *net, unsigned int hash) if (del_timer(&ct->timeout)) { death_by_timeout((unsigned long)ct); - dropped = 1; - NF_CT_STAT_INC_ATOMIC(net, early_drop); + /* Check if we indeed killed this entry. Reliable event + delivery may have inserted it into the dying list. */ + if (test_bit(IPS_DYING_BIT, &ct->status)) { + dropped = 1; + NF_CT_STAT_INC_ATOMIC(net, early_drop); + } } nf_ct_put(ct); return dropped;
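Review bot: the comment added above `if (test_bit(IPS_DYING_BIT, &ct->status))` says the entry "may have" been put on the dying list but never says which outcome the bit represents, so a reader can easily take "dying list" and IPS_DYING_BIT to mean the same state. Reword it to state, as the code implies, that the bit being set means the entry was really destroyed and that a clear bit means the destroy event was not delivered and the entry is still pending. The comment should also use the multi-line layout asked for in the thread, with continuation lines starting with ` * ` and the closing `*/` on its own line. Separately, when the test fails, `dropped` stays 0 and NF_CT_STAT_INC_ATOMIC is skipped, so a failed eviction is not counted anywhere in this hunk; consider a counter for that path, or a sentence in the commit message on what the caller of early_drop() does when it returns 0 in this case.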